CVE-2018-25101
Description
A vulnerability, which was classified as problematic, has been found in l2c2technologies Koha up to 20180108. This issue affects some unknown processing of the file /cgi-bin/koha/opac-MARCdetail.pl. The manipulation of the argument biblionumber with the input 2"> leads to cross site scripting. The attack may be initiated remotely. The identifier of the patch is 950fc8e101886821879066b33e389a47fb0a9782. It is recommended to upgrade the affected component. The identifier VDB-261677 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Koha's opac-MARCdetail.pl allows attackers to inject arbitrary JavaScript via the biblionumber parameter.
Vulnerability Description
CVE-2018-25101 describes a reflected cross-site scripting (XSS) vulnerability in l2c2technologies Koha versions up to 20180108. The issue resides in /cgi-bin/koha/opac-MARCdetail.pl, where the biblionumber request parameter is written back into the page without validation or HTML escaping. A value such as 2"> closes the quoted attribute and the tag it sits in, so anything the attacker appends after it is parsed by the browser as markup, which is enough to inject arbitrary HTML and JavaScript via a crafted URL.
Exploitation
This vulnerability can be exploited remotely without authentication. An attacker needs to trick a victim into clicking a specially crafted link that includes the malicious biblionumber parameter. The injected script executes in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser in the origin of the OPAC. This can compromise the user's session, redirect the user to malicious sites, or exfiltrate cookies and other data readable by script (cookies marked HttpOnly cannot be read directly, but an attacker's script can still act on the user's behalf within the page). The vulnerability is rated low severity (CVSS 3.5) because it requires user interaction with an attacker-supplied link.
Mitigation
The vulnerability is fixed in commit 950fc8e101886821879066b33e389a47fb0a9782 [1]. Users are advised to upgrade their Koha installation to a version including this patch. There are no known workarounds; upgrading the affected component is recommended.
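The bug described above and the shape of the fix, as an added illustration that is not Koha's code and not the referenced commit: a hypothetical template fragment reflects biblionumber into an HTML attribute, a constructed payload in the form the advisory gives (2"> followed by a tag) breaks out of the attribute, and the hardened version allow-lists the value as a positive integer and HTML-escapes it on output. The tag-counting check shows how to confirm, from rendered output, whether a reflected parameter escaped its attribute context. The fragment, the payload and the function names are assumptions for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload: the advisory's "2\">" breakout, extended with a tag so
# the effect is observable. Not a payload taken from the original report.
PAYLOAD = '2"><svg onload=alert(1)>'


def render_vulnerable(biblionumber: str) -> str:
    """Hypothetical vulnerable fragment (not Koha's template): the raw request
    parameter is interpolated into an attribute with no validation or escaping."""
    return f'<input type="hidden" name="biblionumber" value="{biblionumber}">'


def render_fixed(biblionumber: str) -> str:
    """Hardened fragment: a record id is a positive integer, so reject anything
    else up front, and still HTML-escape on output as defence in depth."""
    if not re.fullmatch(r"[1-9][0-9]*", biblionumber):
        raise ValueError("biblionumber must be a positive integer")
    safe = html.escape(biblionumber, quote=True)
    return f'<input type="hidden" name="biblionumber" value="{safe}">'


def rejects(biblionumber: str) -> bool:
    """True if the hardened renderer refuses the value."""
    try:
        render_fixed(biblionumber)
    except ValueError:
        return True
    return False


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment: str) -> list:
    """Check: parse the rendered fragment and return any tag other than the
    single <input> the template is supposed to emit. A non-empty result means
    the reflected value escaped its attribute context."""
    parser = _TagCollector()
    parser.feed(fragment)
    return [t for t in parser.tags if t != "input"]


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print("injected:", injected_tags(render_vulnerable(PAYLOAD)))
    print(render_fixed("2"))
    print("payload rejected:", rejects(PAYLOAD))
```

Escaping alone (html.escape with quote=True) already neutralises the breakout because the double quote becomes &quot;; the integer allow-list is the stronger fix for this parameter because a record id never legitimately contains anything else, and it also stops the value reaching the database lookup.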
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- l2c2technologies Koha, versions <= 20180108 (no CPE assigned)
Patches
- 950fc8e101886821879066b33e389a47fb0a9782
References